
Trust Issues: What Do All these JSON files actually mean?

Hosted By
Jeff B.

Details

As cloud security practitioners, we spend our days wrangling IAM policies — but for all the JSON we manage, it’s still surprisingly hard to answer basic questions like: “Who can access this S3 bucket?” or “What can this role actually do?” Understanding AWS permissions in practice means piecing together policies across services, accounts, organizations, and trust layers. And because those policies are often managed by different teams or scattered across pipelines, it’s difficult to reason about what’s truly possible in a deployed environment.

This talk explores a pragmatic approach to verifying effective IAM permissions: simulating what AWS IAM actually allows across all policy layers, and exposing the results in a way that clearly shows who can do what, and why. Rather than replacing pre-deploy linters or policy review processes, this system complements them by analyzing deployed IAM configuration and evaluating real-world access across identities, resources, and trust relationships. Want to know which principals have s3:GetObject access to your prod bucket? Or which external accounts can assume a sensitive role? We’ll show how to answer those questions—quickly, clearly, and without hand-parsing several JSON files.

You’ll leave with a new set of tools for understanding how IAM really works in your environment. This session includes a demo and an open-source project built to support these workflows.

If you have an interest in increasing your understanding of IAM configurations within AWS, please join us on Monday, July 14th. We look forward to seeing you there!

= Speaker(s) =

David Kerber

Dave is an engineer and longtime AWS practitioner with a focus on IAM and AWS security tooling. He’s led product and engineering teams at startups and billion-dollar companies, raised millions from VCs, built two CSPMs, and now consults on AWS security for Fortune 500 companies. He maintains open-source projects in the AWS IAM space and is currently obsessed with perfecting his focaccia.

= Slack =

We now have a Slack workgroup associated with the Omaha AWS Meetup. Please use this link to join the conversation over on Slack!

https://join.slack.com/t/omahaawsmeetup/shared_invite/zt-2k30k17n4-dYb4N0oLCYP_MibUp7bCLg

= Quick Update =

Social (half) Hour will start at 5:30pm with the talk starting promptly at 6pm. Please join us for social hour for some food, drink, and mingling!

= Meeting Location =

We meet in person at the Improving office, located at:

18881 West Dodge Road
Suite 120E
Omaha, NE 68022

= Sponsors =

Improving – It's what we do.™
www.improving.com
Technology Consulting | Software Engineering | Training & Coaching | Project Outsourcing

Omaha Amazon Web Services Meetup
FREE